On Mon, Jun 30, 2025 at 19:25:05 +0200, Peter Krempa wrote:
> From: Peter Krempa <pkre...@redhat.com>
>
> Key encipherment is required only for the RSA key exchange algorithm. With
> TLS 1.3 this is not even used, as RSA is used only for authentication.
>
> Since we can't really check when it's required ahead of time, drop the
> check completely. GnuTLS will moan if it is not able to use RSA
> key exchange.
>
> In commit 11867b0224a2 I tried to relax the check for some elliptic
> curve algorithms that explicitly forbid it. Based on the above, the proper
> solution is to completely remove it.
>
> Resolves: https://issues.redhat.com/browse/RHEL-100711
> Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
> Signed-off-by: Peter Krempa <pkre...@redhat.com>
> ---
I've tested this by creating a client certificate with the following info:

    organization = test
    cn = HOST
    tls_www_server
    signing_key

(thus missing the 'encryption_key' field)

Attempting to use the currently released libvirt results in:

    $ virsh -c qemu+tls://speedmetal/system list
    error: failed to connect to the hypervisor
    error: Certificate /etc/pki/libvirt/clientcert.pem usage does not permit key encipherment

Whereas with patched libvirt:

    $ ./build/libvirt/gcc/tools/virsh -c qemu+tls://speedmetal/system list
     Id   Name   State
    ----------------------
     1    ha     running
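To make the failing check concrete, here is an added example (not libvirt or GnuTLS code) that decodes an X.509 KeyUsage extension value and applies a client-certificate usage policy modelled on the check the patch removes. It assumes the old check also required digitalSignature, and that certtool's `signing_key` and `encryption_key` template options map to the digitalSignature and keyEncipherment bits; the DER sample values are constructed.

```python
# Added example (not libvirt or GnuTLS code): decode an X.509 KeyUsage value
# (a DER BIT STRING, RFC 5280 section 4.2.1.3) and apply a client-certificate
# usage policy modelled on the check the patch removes.

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage flag names encoded in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("long-form or inconsistent length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits count")
    nbits = len(bits) * 8 - unused  # padding bits past nbits are ignored
    return {name for pos, name in enumerate(KEY_USAGE_BITS)
            if pos < nbits and bits[pos // 8] & (0x80 >> (pos % 8))}


def check_client_cert_usage(flags: set, require_key_encipherment: bool):
    """Return the first usage problem as a string, or None if acceptable.

    require_key_encipherment=True approximates the pre-patch check
    (assumption: digitalSignature is required too); False approximates the
    patched behaviour, where key-exchange suitability is left to GnuTLS.
    """
    if "digitalSignature" not in flags:
        return "usage does not permit digital signature"
    if require_key_encipherment and "keyEncipherment" not in flags:
        return "usage does not permit key encipherment"
    return None


# Constructed KeyUsage values (assumed certtool mapping of template options):
#   signing_key only             -> digitalSignature (bit 0)
#   signing_key + encryption_key -> digitalSignature + keyEncipherment (bits 0, 2)
SIGNING_ONLY = bytes.fromhex("03020780")
SIGNING_AND_ENCRYPTION = bytes.fromhex("030205a0")

if __name__ == "__main__":
    for label, der in (("signing_key", SIGNING_ONLY),
                       ("signing_key+encryption_key", SIGNING_AND_ENCRYPTION)):
        flags = decode_key_usage(der)
        print(label, sorted(flags), "old:", check_client_cert_usage(flags, True),
              "new:", check_client_cert_usage(flags, False))
```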